Market predictions about when a "cryptographically relevant quantum computer" (CRQC) will arrive are often overly aggressive and exaggerated, leading to calls for an immediate and comprehensive migration to post-quantum cryptography. Those calls often overlook the costs and risks of premature migration, as well as the drastically different risk profiles of different cryptographic primitives:

Post-quantum encryption does need to be deployed now, despite its high cost: "Harvest Now, Decrypt Later" (HNDL) attacks are already happening. Sensitive data encrypted today may still be valuable decades from now, when quantum computers exist. Post-quantum encryption brings performance overhead and execution risk, but for data that requires long-term confidentiality there is no other defense against HNDL.

Post-quantum signatures follow a completely different calculus: they are not affected by HNDL attacks. At the same time, their costs and risks (larger sizes, worse performance, immature technology, and the potential for bugs) call for a thoughtful rather than hasty migration strategy.

Clarifying this distinction is crucial. Misunderstanding it distorts cost-benefit analyses and causes teams to overlook more pressing security risks, such as code bugs. The real challenge of post-quantum migration is matching the sense of urgency to the actual threat. The following sections clear up common misconceptions about quantum threats to encryption, signatures, and zero-knowledge proofs (with particular attention to their impact on blockchains).

How far are we from a quantum threat?

Despite the hype, the likelihood of a CRQC emerging in the 2020s is extremely low.
By "CRQC" I mean a fault-tolerant, error-corrected quantum computer large enough to run Shor's algorithm against elliptic curve cryptography or RSA within a reasonable timeframe (for example, breaking secp256k1 or RSA-2048 in a month at most). A sober reading of public milestones and resource estimates shows we are still a long way from building such a machine. Some companies claim a CRQC could emerge before 2030 or 2035, but currently known progress does not support these claims.

Objectively, across all current technological architectures (ion traps, superconducting qubits, neutral-atom systems), no platform today comes close to the hundreds of thousands to millions of physical qubits required to run Shor's algorithm (the exact figure depends on the error rate and the correction scheme). The limiting factors are not only the number of qubits but also gate fidelities, qubit connectivity, and the depth of sustained error-corrected circuitry that deep quantum algorithms require. Some systems now have more than 1,000 physical qubits, but raw counts are misleading: these systems lack the connectivity and fidelity required for cryptanalytic computations. Recent systems are beginning to approach the physical error rate threshold for effective quantum error correction, yet no one has demonstrated more than a few logical qubits at sustained error-corrected circuit depth, let alone the thousands of high-fidelity, deep-circuit, fault-tolerant logical qubits actually required to run Shor's algorithm. The gap between "proving quantum error correction is feasible in principle" and "reaching the scale required for cryptanalysis" remains enormous.

In short: unless both qubit counts and fidelities improve by orders of magnitude, a CRQC remains a distant prospect. It is nonetheless easy to be confused by corporate press releases and media coverage.
Here are some common sources of misunderstanding:

- Demonstrations claiming "quantum advantage": these currently target artificially designed tasks. The tasks are chosen not because they are useful but because they can run on existing hardware and exhibit a large quantum speedup, a point the announcements often obscure.

- Companies claiming thousands of physical qubits: this usually refers to quantum annealers, not the gate-model machines needed to run Shor's algorithm against public-key cryptography.

- Misuse of the term "logical qubit": quantum algorithms such as Shor's require thousands of stable logical qubits. Through quantum error correction, a single logical qubit is built from many physical qubits, typically hundreds to thousands. Some companies have stretched the term to an absurd degree: a recent announcement claimed 48 logical qubits using only two physical qubits per logical qubit. A code with that little redundancy can only detect errors, not correct them. Genuinely fault-tolerant logical qubits suitable for cryptanalysis require hundreds to thousands of physical qubits each.

- Playing with the definition: many roadmaps use "logical qubit" for qubits that support only Clifford operations. Clifford circuits can be simulated efficiently on classical computers and are therefore insufficient for running Shor's algorithm. A roadmap that aims to "reach thousands of logical qubits in year X" does not mean the company expects to run Shor's algorithm against classical cryptography that year.

These marketing tactics severely distort the public's (and even some seasoned observers') perception of how imminent the quantum threat is. Nevertheless, some experts are genuinely excited about the progress.
Scott Aaronson recently said that, given the pace of hardware advances, he believes it is "possible to have a fault-tolerant quantum computer running Shor's algorithm before the next US presidential election." But he also made clear that this is not the same as a cryptographically threatening CRQC: even factoring 15 = 3 × 5 on a fault-tolerant system would count as a "prophetic success." That is nowhere near the scale of breaking RSA-2048. In fact, every quantum experiment that has factored 15 used simplified circuits rather than the full fault-tolerant Shor's algorithm, and factoring 21 required additional hints and shortcuts. Put simply, no publicly available progress shows that we can build a quantum computer capable of breaking RSA-2048 or secp256k1 within the next 5 years; even within the next ten years, this remains a very aggressive prediction. The US government's proposed migration of government systems to post-quantum cryptography by 2035 is a timeline for the migration project itself, not a prediction that a CRQC will exist by then.

Which types of cryptographic systems are HNDL attacks applicable to?

"HNDL (Harvest Now, Decrypt Later)" refers to attackers recording encrypted communications today with the intent of decrypting them later, once quantum computers become available. Nation-state adversaries may already be archiving encrypted US government communications at scale for future decryption. Encryption systems therefore need to migrate immediately, especially where confidentiality must last 10–50 years or more. Digital signatures, on which all blockchains rely, differ from encryption: they contain no confidential information that could be recovered retroactively.
In other words, signatures can be forged from the moment a quantum computer becomes available, but past signatures are not affected: they hold no secret to reveal, and as long as it can be proven that a signature was generated before the advent of a CRQC, it cannot have been forged. The urgency of migrating to post-quantum signatures is therefore far lower than that of migrating encryption.

Mainstream platforms have adopted exactly this split: Chrome and Cloudflare have deployed hybrid X25519+ML-KEM for TLS, and Apple iMessage (PQ3) and Signal (PQXDH, SPQR) have deployed hybrid post-quantum cryptography. Deployment of post-quantum signatures in critical web infrastructure, by contrast, has been deliberately deferred until a CRQC is genuinely imminent, because the performance regression of today's post-quantum signatures is still significant.

The situation is similar for zkSNARKs (zero-knowledge succinct non-interactive arguments of knowledge). Even when built on elliptic curve cryptography, which is not post-quantum secure, the zero-knowledge property still holds against a quantum adversary. Zero knowledge guarantees that a proof reveals nothing about the secret witness, so an attacker cannot "collect proofs now and decrypt them later"; zkSNARKs are not vulnerable to HNDL attacks. Just as signatures generated today remain sound, any zkSNARK proof generated before the advent of quantum computers remains credible, even if the zkSNARK uses elliptic curve cryptography. Only after a CRQC exists could an attacker forge proofs of false statements.

Value exchange will occur day and night, constructing a completely new digital world far exceeding the scale of human economies.
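The hybrid X25519+ML-KEM deployments mentioned above all share one construction: the classical and post-quantum shared secrets are combined through a key derivation step, so a session stays confidential unless both are broken. The Go program below is an added illustration of that combiner and is not the code of Chrome, Cloudflare, or any TLS stack. It uses the standard library's X25519 for the classical half; the ML-KEM shared secret is a constructed stand-in supplied by the caller (the assumption being that a real handshake would obtain it from ML-KEM encapsulation), and the combiner label and transcript handling are this example's own choices, not the TLS 1.3 key schedule.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Domain-separation label mixed into the combiner. An assumption for this
// example; real protocols use their own key schedule (e.g. TLS 1.3 HKDF).
const combinerLabel = "example-hybrid-x25519-kem-v1"

// party holds one side's X25519 key pair, the classical half of the hybrid.
type party struct {
	priv *ecdh.PrivateKey
}

func newParty() (*party, error) {
	k, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &party{priv: k}, nil
}

// hybridSecret combines a classical shared secret and a KEM shared secret.
// Both are concatenated under HMAC-SHA256 keyed with the handshake transcript
// (the HKDF-Extract shape). Recovering the output requires recovering BOTH
// inputs: a CRQC that breaks X25519 still has to break the KEM, and a bug in
// the new KEM code still leaves X25519 protecting the session.
func hybridSecret(classical, kem, transcript []byte) []byte {
	mac := hmac.New(sha256.New, transcript)
	mac.Write([]byte(combinerLabel))
	mac.Write(classical)
	mac.Write(kem)
	return mac.Sum(nil)
}

// hybridExchange runs X25519 between a and b, then folds in the KEM secret
// each side believes it shares. In a real handshake kemA and kemB would be the
// encapsulated/decapsulated ML-KEM secret; here the caller passes constructed
// values so the example runs with the standard library alone.
func hybridExchange(a, b *party, kemA, kemB []byte) (keyA, keyB []byte, err error) {
	// Transcript binding: both public keys, in a fixed order.
	transcript := sha256.Sum256(append(a.priv.PublicKey().Bytes(), b.priv.PublicKey().Bytes()...))
	ssA, err := a.priv.ECDH(b.priv.PublicKey())
	if err != nil {
		return nil, nil, err
	}
	ssB, err := b.priv.ECDH(a.priv.PublicKey())
	if err != nil {
		return nil, nil, err
	}
	return hybridSecret(ssA, kemA, transcript[:]), hybridSecret(ssB, kemB, transcript[:]), nil
}

func main() {
	a, err := newParty()
	if err != nil {
		panic(err)
	}
	b, err := newParty()
	if err != nil {
		panic(err)
	}
	kem := []byte("constructed stand-in for an ML-KEM shared secret")
	ka, kb, err := hybridExchange(a, b, kem, kem)
	if err != nil {
		panic(err)
	}
	fmt.Println("keys match:", bytes.Equal(ka, kb))
	fmt.Println("session key:", hex.EncodeToString(ka))
}
```

If either side holds a different KEM secret (for example because an attacker tampered with the encapsulation), the derived keys diverge and the handshake fails closed, which is the behaviour a hybrid should have.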
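The claim that a pre-CRQC signature stays trustworthy "as long as it can be proven that it was generated before the advent of a CRQC" implies a concrete verifier policy: after the cutoff, a classical signature is accepted only if some independent record dates it before the cutoff. The Go program below is an added example of that policy and is not code from the article or from any blockchain. It signs with Ed25519 from the standard library and uses a simple in-memory, first-write-wins log as a constructed stand-in for a trusted timestamping service or ledger; the `anchor-v1` label and the cutoff dates are this example's own assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"time"
)

// anchorLog is a constructed stand-in for an append-only, trusted record
// (a ledger or timestamping service). It maps a signature digest to the time
// the log first admitted it. The log's own integrity is assumed here.
type anchorLog struct {
	entries map[[32]byte]time.Time
}

func newAnchorLog() *anchorLog {
	return &anchorLog{entries: map[[32]byte]time.Time{}}
}

// sigDigest commits to the message and signature together, so the anchor
// cannot be reused for a different message.
func sigDigest(msg, sig []byte) [32]byte {
	h := sha256.New()
	h.Write([]byte("anchor-v1")) // label: this example's assumption
	h.Write(msg)
	h.Write(sig)
	var d [32]byte
	copy(d[:], h.Sum(nil))
	return d
}

// record admits a signature into the log at time now; the first write wins,
// so a later re-submission cannot back-date or forward-date an entry.
func (l *anchorLog) record(msg, sig []byte, now time.Time) {
	d := sigDigest(msg, sig)
	if _, ok := l.entries[d]; !ok {
		l.entries[d] = now
	}
}

// verifyLegacySignature applies the policy from the article: before the CRQC
// cutoff any valid Ed25519 signature is accepted; after it, a valid signature
// is trusted only if the log admitted it before the cutoff, because a CRQC
// could forge fresh ones but cannot rewrite the past record.
func verifyLegacySignature(l *anchorLog, pub ed25519.PublicKey, msg, sig []byte, now, crqcCutoff time.Time) error {
	if !ed25519.Verify(pub, msg, sig) {
		return errors.New("invalid signature")
	}
	if now.Before(crqcCutoff) {
		return nil
	}
	at, ok := l.entries[sigDigest(msg, sig)]
	if !ok {
		return errors.New("signature not anchored before CRQC cutoff")
	}
	if !at.Before(crqcCutoff) {
		return errors.New("signature anchored after CRQC cutoff")
	}
	return nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	log := newAnchorLog()
	cutoff := time.Date(2040, 1, 1, 0, 0, 0, 0, time.UTC) // assumed CRQC date
	msg := []byte("constructed transaction payload")
	sig := ed25519.Sign(priv, msg)
	log.record(msg, sig, cutoff.AddDate(-1, 0, 0)) // anchored a year before
	fmt.Println("pre-cutoff signature after CRQC:", verifyLegacySignature(log, pub, msg, sig, cutoff.AddDate(1, 0, 0), cutoff))
	late := ed25519.Sign(priv, []byte("constructed later payload"))
	fmt.Println("unanchored signature after CRQC:", verifyLegacySignature(log, pub, []byte("constructed later payload"), late, cutoff.AddDate(1, 0, 0), cutoff))
}
```

The security of this policy rests entirely on the anchor log being append-only and tamper-evident; a log that can be rewritten lets a post-CRQC forgery masquerade as a pre-CRQC signature, which is why real deployments anchor into a ledger or hash chain rather than a mutable database.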